> but i try to this command
>
> openssl s_client -connect mail.mydomain:pop3s -starttls imap
>
> it says CONNECTED and hang. second command is correct?

Uh, "pop3s" != "imap", and IMAP/STARTTLS is not the same as IMAP/SSL (or whatever the hell the terminology is nowadays).

If you're testing IMAP, try one or the other or both depending on how many flavours of SSL you got going.

    openssl s_client -starttls imap -connect mail.mydomain:143
    openssl s_client -connect mail.mydomain:993

Joseph Tam <jtam.home at gmail.com>
Ok, I understand the difference.

    openssl s_client -starttls imap -connect mail.mydomain:143
    openssl s_client -connect mail.mydomain:993

These commands run as expected. I know this forum isn't about Thunderbird, but when I set up the account in Thunderbird with port 993 and SSL, I see this line in dovecot.log:

    TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

In our dovecot (2.0.9 on redhat) 10-ssl.conf file we have

    ssl_cipher_list kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES:!SSLv3

settings. Are these settings correct for dovecot? If they are correct, can we say there is a problem with Thunderbird? :)

Thanks in advance

On Tue, Jan 9, 2018 at 3:59 AM, Joseph Tam <jtam.home at gmail.com> wrote:

> > but i try to this command
> >
> > openssl s_client -connect mail.mydomain:pop3s -starttls imap
> >
> > it says CONNECTED and hang. second command is correct?
>
> Uh, "pop3s" != "imap", and IMAP/STARTTLS is not the same as IMAP/SSL (or
> whatever the hell the terminology is nowadays).
>
> If you're testing IMAP, try one or the other or both depending
> on how many flavours of SSL you got going.
>
>     openssl s_client -starttls imap -connect mail.mydomain:143
>     openssl s_client -connect mail.mydomain:993
>
> Joseph Tam <jtam.home at gmail.com>

--
Selçuk YAZAR
http://www.selcukyazar.blogspot.com
> our dovecot (2.0.9 on redhat) 10-ssl.conf file we have
>
> ssl_cipher_list
> kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES:!SSLv3
>
> settings.
>
> this settings is correct for dovecot ? if they correct , can we say there is
> problem for thunderbird ? :)

I think you should fix your dovecot cipher list using the guidance from Mozilla's security team:

https://wiki.mozilla.org/Security/Server_Side_TLS

If your server is accessible from the web, you can run this test (it gives you very helpful advice for configuring your cipherlist):

https://www.htbridge.com/ssl

You can also test your setup with the script from this site (you will have to download some files but you can run it even if your server is not connected to the internet).

https://testssl.sh/

Ryan
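Added example (not part of the original thread and not code from the Dovecot project): a Python sketch that expands the ssl_cipher_list quoted above with the local OpenSSL and intersects it with a client's offer, which is the comparison behind a "no shared cipher" failure. The two client offers are constructed samples, not Thunderbird's actual list, and the expansion reflects the OpenSSL build linked into the local Python, so run it on the mail server host to see what that build enables.

```python
import ssl

# ssl_cipher_list value quoted in the thread (dovecot 10-ssl.conf).
SERVER_LIST = ("kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:"
               "kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:"
               "!EXP:!SEED:!IDEA:!3DES:!SSLv3")

# Constructed client offers (OpenSSL suite names), NOT captured from a real client.
CLIENT_LEGACY = ["AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"]
CLIENT_MODERN = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]


def expand(cipher_string):
    """Return the TLS <= 1.2 suites the local OpenSSL enables, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches at all
    # TLS 1.3 suites are configured separately and are not governed by this string.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def shared(cipher_string, client_offer):
    """Suites both sides could agree on, in server preference order."""
    offered = set(client_offer)
    return [c["name"] for c in expand(cipher_string) if c["name"] in offered]


def diagnose(cipher_string, client_offer):
    """Summarise whether a handshake could find a common suite."""
    common = shared(cipher_string, client_offer)
    if not common:
        return "no shared cipher: handshake would fail as in the dovecot.log line"
    return "would negotiate from: " + ", ".join(common)


if __name__ == "__main__":
    for c in expand(SERVER_LIST):
        print(f'{c["protocol"]:8} {c["name"]}')
    print("legacy client:", diagnose(SERVER_LIST, CLIENT_LEGACY))
    print("modern client:", diagnose(SERVER_LIST, CLIENT_MODERN))
```
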